How to Install and Use AIDE (Advanced Intrusion Detection Environment) on CentOS 8

Ahead of the start of the "Linux Administrator" course, we have prepared a translation of an interesting article.


AIDE stands for "Advanced Intrusion Detection Environment" and is one of the most popular tools for monitoring changes on Linux-based operating systems. AIDE is used to protect against malware and viruses and to detect unauthorized activity. To verify file integrity and detect intrusions, AIDE builds a database of file attributes and compares the current state of the system against that database. AIDE helps shorten incident investigations by focusing attention on the files that were actually modified.

AIDE features:

  • Supports a wide range of file attributes, including: file type, inode, uid, gid, permissions, number of links, mtime, ctime and atime.
  • Support for Gzip compression, SELinux, XAttrs, POSIX ACLs and filesystem attributes.
  • Supports a variety of hash algorithms, including md5, sha1, sha256, sha512, rmd160, crc32 and others.
  • Sending notifications by email.

In this article we will look at how to install and use AIDE for intrusion detection on CentOS 8.

Prerequisites

  • A server running CentOS 8 with at least 2 GB of RAM.
  • Root access.

Getting started

It is recommended to update the system first. To do this, run the following command:

dnf update -y

After the update, reboot your system for the changes to take effect.

Installing AIDE

AIDE is available in the default CentOS 8 repositories. You can install it simply by running the following command:

dnf install aide -y

Once the installation is complete, you can check the AIDE version with the following command:

aide --version

You should see the following:

Aide 0.16

Compiled with the following options:

WITH_MMAP
WITH_PCRE
WITH_POSIX_ACL
WITH_SELINUX
WITH_XATTR
WITH_E2FSATTRS
WITH_LSTAT64
WITH_READDIR64
WITH_ZLIB
WITH_CURL
WITH_GCRYPT
WITH_AUDIT
CONFIG_FILE = "/etc/aide.conf"

The available aide options can be viewed as follows:

aide --help


Creating and initializing the database

The first thing you need to do after installing AIDE is initialize it. Initialization means creating a database (a snapshot) of all files and directories on the server.

To initialize the database, run the following command:

aide --init

You should see the following:

Start timestamp: 2020-01-16 03:03:19 -0500 (AIDE 0.16)
AIDE initialized database at /var/lib/aide/aide.db.new.gz

Number of entries:	49472

---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db.new.gz
  MD5      : 4N79P7hPE2uxJJ1o7na9sA==
  SHA1     : Ic2XBj50MKiPd1UGrtcUk4LGs0M=
  RMD160   : rHMMy5WwHVb9TGUc+TBHFHsPCrk=
  TIGER    : vkb2bvB1r7DbT3n6d1qYVfDzrNCzTkI0
  SHA256   : tW3KmjcDef2gNXYqnOPT1l0gDFd0tBh9
             xWXT2iaEHgQ=
  SHA512   : VPMRQnz72+JRgNQhL16dxQC9c+GiYB8g
             uZp6uZNqTvTdxw+w/IYDSanTtt/fEkiI
             nDw6lgDNI/ls2esijukliQ==


End timestamp: 2020-01-16 03:03:44 -0500 (run time: 0m 25s)

The above command creates a new database aide.db.new.gz in the /var/lib/aide directory. You can see it with the following command:

ls -l /var/lib/aide

Output:

total 2800
-rw------- 1 root root 2863809 Jan 16 03:03 aide.db.new.gz

AIDE will not use this new database file until it is renamed to aide.db.gz. This can be done as follows:

mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

It is recommended that you update this database periodically so that changes are tracked properly.

You can change the database location by changing the DBDIR parameter in the /etc/aide.conf file.
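The rename step above is worth scripting, because a plain mv silently discards the previous baseline and leaves nothing that would reveal if the database file itself were later rewritten. The script below is an added example written for this article's setup; it is not AIDE's own tooling and not from the original text. It assumes the CentOS database directory /var/lib/aide (any directory can be passed instead, matching DBDIR in /etc/aide.conf), and its demo runs on a temporary directory with a constructed placeholder file rather than calling aide --init, so it can be executed anywhere.

```sh
#!/bin/sh
# Added example for this article (not AIDE's own tooling): promote a freshly
# initialised or updated AIDE database to the active one while keeping the
# previous baseline, and record a SHA-256 fingerprint of the new baseline so
# tampering with the database file itself can be noticed later.
# The demo at the bottom works on a temporary directory with a constructed
# placeholder file, so it runs on any machine without `aide --init`.
set -eu

# promote_aide_db DBDIR
#   aide.db.new.gz -> aide.db.gz; an existing aide.db.gz is kept as a
#   timestamped copy instead of being overwritten.
promote_aide_db() {
    dbdir="$1"
    new="$dbdir/aide.db.new.gz"
    active="$dbdir/aide.db.gz"

    if [ ! -s "$new" ]; then
        echo "promote_aide_db: $new is missing or empty; run 'aide --init' or 'aide --update' first" >&2
        return 1
    fi

    # Keep the superseded baseline: an investigation may need to compare
    # against the state the last clean check was run with.
    if [ -f "$active" ]; then
        cp -p "$active" "$active.$(date +%Y%m%d%H%M%S)"
    fi

    mv "$new" "$active"
    chmod 600 "$active"

    # Fingerprint of the baseline. Copy this file off-host (or to the
    # read-only media the article recommends) so it cannot be rewritten
    # together with the database.
    (cd "$dbdir" && sha256sum aide.db.gz > aide.db.gz.sha256)
}

# verify_aide_db DBDIR
#   Returns 0 when aide.db.gz still matches the recorded fingerprint.
verify_aide_db() {
    (cd "$1" && sha256sum -c aide.db.gz.sha256 >/dev/null 2>&1)
}

# Real use on a CentOS host: "sh this_script.sh promote" after aide --init
# or aide --update, "sh this_script.sh verify" before a scheduled check.
case "${1:-demo}" in
    promote) promote_aide_db "${2:-/var/lib/aide}"; exit ;;
    verify)  verify_aide_db  "${2:-/var/lib/aide}"; exit ;;
esac

# --- demo on a constructed temporary DBDIR (not a real AIDE database) ---
demo_dir=$(mktemp -d)
printf 'constructed placeholder, stands in for the output of aide --init\n' \
    > "$demo_dir/aide.db.new.gz"
promote_aide_db "$demo_dir"
if verify_aide_db "$demo_dir"; then
    echo "baseline fingerprint OK in $demo_dir"
fi
ls -l "$demo_dir"
rm -rf "$demo_dir"
```

Running verify_aide_db before each scheduled check only helps if the .sha256 file (or a copy of it) lives somewhere an attacker with root on the host cannot rewrite; kept next to the database it is merely a consistency check.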

Running a check

AIDE is now ready to use the new database. Run the first AIDE check without making any changes:

aide --check

This command takes a while to complete, depending on the size of your filesystem and the amount of RAM on your server. Once the scan completes, you should see the following:

Start timestamp: 2020-01-16 03:05:07 -0500 (AIDE 0.16)
AIDE found NO differences between database and filesystem. Looks okay!!

The output above says that all files and directories match the AIDE database.

Testing AIDE

By default, AIDE does not track the Apache document root /var/www/html. Let's configure AIDE to check it. To do this, you need to edit the /etc/aide.conf file:

nano /etc/aide.conf

Add the following line above the "/root/ CONTENT_EX" line:

/var/www/html/ CONTENT_EX

Next, create a file aide.txt in the /var/www/html/ directory with the following command:

echo "Test AIDE" > /var/www/html/aide.txt

Now run the AIDE check and make sure the newly created file is detected:

aide --check

You should see the following:

Start timestamp: 2020-01-16 03:09:40 -0500 (AIDE 0.16)
AIDE found differences between database and filesystem!!

Summary:
  Total number of entries:	49475
  Added entries:		1
  Removed entries:		0
  Changed entries:		0

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /var/www/html/aide.txt

We can see that the created file aide.txt was detected.
After reviewing the detected changes, update the AIDE database:

aide --update

After the update you will see the following:

Start timestamp: 2020-01-16 03:10:41 -0500 (AIDE 0.16)
AIDE found differences between database and filesystem!!
New AIDE database written to /var/lib/aide/aide.db.new.gz

Summary:
  Total number of entries:	49475
  Added entries:		1
  Removed entries:		0
  Changed entries:		0

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /var/www/html/aide.txt

The above command creates a new database aide.db.new.gz in the /var/lib/aide/ directory.

You can see it with the following command:

ls -l /var/lib/aide/

Output:

total 5600
-rw------- 1 root root 2864012 Jan 16 03:09 aide.db.gz
-rw------- 1 root root 2864100 Jan 16 03:11 aide.db.new.gz

Now rename the new database again so that AIDE uses it to track further changes. You can rename it as follows:

mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

Run the check again to make sure AIDE is using the new database:

aide --check

You should see the following:

Start timestamp: 2020-01-16 03:12:29 -0500 (AIDE 0.16)
AIDE found NO differences between database and filesystem. Looks okay!!

Automating checks

It is good practice to run the AIDE check every day and send out the report. This can be automated with cron:

nano /etc/crontab

To run the AIDE check every day at 10:15, add the following line to the end of the file:

15 10 * * * root /usr/sbin/aide --check

AIDE will now notify you by mail. You can check your mail with the following command:

tail -f /var/mail/root

The AIDE log can be viewed with the following command:

tail -f /var/log/aide/aide.log
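The cron line above mails the whole AIDE report, which is fine for one server but tedious to read every morning. The wrapper below is an added example written for this article; it is not part of AIDE and not from the original text. It archives the raw report, reduces it to a one-line added/removed/changed verdict plus the affected paths, and uses its exit status to tell cron (or a monitoring agent) whether anything changed or whether the check itself failed to produce a verdict. It assumes the aide binary at /usr/sbin/aide as in the crontab line and a report directory of /var/log/aide; the embedded SAMPLE_REPORT is the output shown earlier in the article, and the real check is only started when the script is called with the "run" argument.

```sh
#!/bin/sh
# Added example for this article (not part of AIDE): wrap the daily
# `aide --check` so that the report cron mails is easy to act on. The raw
# AIDE report is archived, reduced to a one-line "added/removed/changed"
# verdict plus the affected paths, and the exit status tells cron (or a
# monitoring agent) whether anything changed or the check itself failed.
# SAMPLE_REPORT below is the output shown in the article; the real run is
# only started with the "run" argument.
set -eu

# aide_summary < report  ->  "added=N removed=N changed=N"
# Reads the counts from the Summary block; a report with no differences has
# no Summary block and yields all zeros.
aide_summary() {
    awk '
        /^ *Added entries:/   && $3 ~ /^[0-9]+$/ { a = $3 }
        /^ *Removed entries:/ && $3 ~ /^[0-9]+$/ { r = $3 }
        /^ *Changed entries:/ && $3 ~ /^[0-9]+$/ { c = $3 }
        END { printf "added=%d removed=%d changed=%d\n", a, r, c }
    '
}

# aide_entry_paths < report  ->  "added|removed|changed /path" per entry
# Entry lines ("f++++++++++++++++: /var/www/html/aide.txt") sit under the
# "Added entries:" / "Removed entries:" / "Changed entries:" headers; the path
# starts after the first ": /", so paths containing spaces survive.
aide_entry_paths() {
    awk '
        /^(Added|Removed|Changed) entries:$/ { sect = tolower($1); next }
        /^Detailed information|^The attributes of/ { sect = "" }
        sect != "" && match($0, /: \//) { print sect " " substr($0, RSTART + 2) }
    '
}

# run_aide_check REPORT_DIR
#   0: no differences; 1: differences found (details on stdout);
#   2: AIDE gave no verdict (configuration or I/O problem), which cron
#      should mail as well instead of being read as "all clear".
run_aide_check() {
    report="$1/aide-$(date +%Y-%m-%d).txt"
    # AIDE exits non-zero when it finds differences; keep going and read the report.
    /usr/sbin/aide --check > "$report" 2>&1 || true
    if ! grep -q '^AIDE found' "$report"; then
        echo "AIDE produced no verdict; see $report" >&2
        return 2
    fi
    summary=$(aide_summary < "$report")
    echo "AIDE check $(date +%Y-%m-%d): $summary (full report: $report)"
    aide_entry_paths < "$report"
    if [ "$summary" = "added=0 removed=0 changed=0" ]; then
        return 0
    fi
    return 1
}

# Report from the article's test run (used for the offline demo).
SAMPLE_REPORT='Start timestamp: 2020-01-16 03:09:40 -0500 (AIDE 0.16)
AIDE found differences between database and filesystem!!

Summary:
  Total number of entries:    49475
  Added entries:              1
  Removed entries:            0
  Changed entries:            0

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /var/www/html/aide.txt'

# Real use from cron: "sh this_script.sh run [REPORT_DIR]"
if [ "${1:-demo}" = "run" ]; then
    run_aide_check "${2:-/var/log/aide}" && exit 0
    exit $?
fi

# Offline demo on the sample report.
printf '%s\n' "$SAMPLE_REPORT" | aide_summary
printf '%s\n' "$SAMPLE_REPORT" | aide_entry_paths
```

With the script saved as, for example, /usr/local/sbin/aide-daily.sh (an assumed path), the crontab entry becomes "15 10 * * * root /usr/local/sbin/aide-daily.sh run"; cron still mails the output, but the first line of the mail is now the verdict, and a non-zero status of 2 distinguishes a broken check from a clean one.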

Conclusion

In this article you learned how to use AIDE to detect file changes and unauthorized access to a server. For additional settings, you can edit the configuration file /etc/aide.conf. For security reasons, it is recommended to keep the database and the configuration file on read-only media. More information can be found in the AIDE documentation.

Learn more about the course.

source: www.habr.com
